Security Basics mailing list archives

Re: Frequent offenders list
From: "Johannes Ullrich" <jullrich () euclidian com>
Date: Tue, 26 Nov 2002 07:16:13 -0500

> Thanks to everyone who responded... the verdict is definitely dshield. I
> was considering making it standard practice to block these addresses at
> my firewall and update on a weekly basis.  I'm interested in what others
> think about this - recommended/valuable or not?  So far I haven't seen
> that the list of addresses at dshield match any of those that are
> portscanning us but I figured it couldn't hurt.

Vinod Yegneswaran, a student at the Univ. of Wisconsin, just wrote a
paper looking into this question:

If you intend to use the list for blocking, I recommend our 
official block list. See http://www.dshield.org/block_list_info.html
for more details.

The '100 targets' list was set up after people asked for a more
extensive blocklist. So you can give it a try and see how it works
for you. 

Using a list based on correlated data from a large user group makes
spoofing harder but not impossible. While the block list is regularly
reviewed for 'sane-ness', the '100 targets' list is too large to
do the same.

Usually, I am discouraging the use of the top 10 list, as it is too

Another note: While the data feeds from DShield are free to use, we
hope you find them useful enough to contribute to the system by 
sending your own logs.

jullrich () euclidian com             Collaborative Intrusion Detection
                                         join http://www.dshield.org
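
A local sanity check of the kind the message describes, run before a downloaded list reaches the firewall, as an added example that is not part of the original post or DShield's own code. The input format (one IPv4 CIDR per line, `#` comments), the protected networks, the /16 limit and the chain name `DSHIELD_BLOCK` are assumptions.

```python
import ipaddress

# Assumed, site-specific policy (none of these values come from the post).
PROTECTED = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "198.51.100.0/24",  # constructed: a partner range that must stay reachable
)]
MIN_PREFIX = 16  # refuse any entry broader than a /16

def vet_blocklist(text, protected=PROTECTED, min_prefix=MIN_PREFIX):
    """Split a downloaded list into (accepted networks, [(entry, reason)])."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue  # blank line or comment
        try:
            net = ipaddress.IPv4Network(entry, strict=True)
        except ValueError:
            rejected.append((entry, "malformed"))
        else:
            if net.prefixlen < min_prefix:
                rejected.append((entry, "too broad"))
            elif any(net.overlaps(p) for p in protected):
                rejected.append((entry, "protected"))
            elif net in accepted:
                rejected.append((entry, "duplicate"))
            else:
                accepted.append(net)
    return accepted, rejected

def to_rules(networks, chain="DSHIELD_BLOCK"):  # chain name is hypothetical
    """Render accepted networks as iptables DROP rules for a dedicated chain."""
    return [f"iptables -A {chain} -s {net} -j DROP" for net in networks]

# Constructed sample (documentation ranges), not real DShield data.
SAMPLE = """\
203.0.113.0/24
192.0.2.0/24
10.1.2.0/24
198.51.100.128/25
0.0.0.0/1
203.0.113.0/24
not-an-address
"""

if __name__ == "__main__":
    ok, bad = vet_blocklist(SAMPLE)
    print("\n".join(to_rules(ok)))
    print(*(f"rejected {e}: {r}" for e, r in bad), sep="\n")
```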
